Cyberattack could leave UK 'fatally compromised', MPs warn

A major cyber-attack on the UK could leave the UK's armed forces "fatally compromised" without a viable 'plan b' a committee of MPs has warned the Government.

Despite acknowledging the UK's world-leading expertise in the cyber-defence, the influential Defence Select Committee uncovered a complex web of weaknesses and uncertainties that it said urgently needed to be addressed.

The first was simply a general complacency about the amount of progress that had been made to date, and a lack of clarity about how military and government might respond in certain scenarios.

"The evidence we received leaves us concerned that with the Armed Forces now so dependent on information and communications technology, should such systems suffer a sustained cyber-attack, their ability to operate could be fatally compromised," the Committee's report concluded.

Despite this, it was unacceptable that the Government had yet to set out its cyber-attack contingency plans, nor even whether it had one in place.

"Events in cyberspace happen at great speed. There will not be time, in the midst of a major international incident, to develop doctrine, rules of engagement or internationally-accepted norms of behaviour," said the MPs.

The committee was also unconvinced that the Ministry of Defence had done enough to secure its supply chain and industrial base.

"It is imperative that we see evidence of more urgent and concrete action by suppliers to address this serious vulnerability, and of energy and determination on the part of the MoD to enforce this action."

There was a risk that different Parts of the armed forces competed with one another for resources, leading to fragmentation into 'silos'.

The UK had recently become involved in the NATO Cyber-Defence Centre of Excellence but needed to accelerate its efforts on this initiative.

In short, the stresses of cyber-defence have challenged the whole defence system to change its models from one based on physical assets to the acknowledgement that any future conflicts will have a frightening electronic and digital dimension.

The MPS seem to be saying that the military and perhaps government have yet to fully digest the implications of this change.

"Interestingly, the UK was placed first of the G20 in its ability to withstand cyber-attacks and deploy the appropriate infrastructure for a productive economy, according to Booz Allen Hamilton's recent Cyber Power Index," pointed out Martin Sutherland of BAE Systems Detica.

"We need to encourage more organisations to share best-practice approaches to cyber security and provide more information about the nature of the attacks they're seeing, particularly given that many private sector firms act as suppliers to Government or are delivering essential services that our nation relies upon every day," he said.

An anxiety running through the report is the ambiguity of cyber-attacks and in quickly identifying who is responsible, and in which circumstances retaliation might be justified.

"The other serious issue when it comes to cyber-attacks on the military is that even once a cyber-breach has been remediated and any potential damage minimised, there often remains an enormous amount of uncertainty surrounding the origins of the attack," agreed LogRythm's Ross Brewer.

In fact, this might just be a consequence of the lack of ready precedents for the military to study; others have argued that in a real-world scenario the chances of a country not having a good deal of knowledge about who was attacking it are over-stated. The real issue is how to respond.

Another approach would be for the UK Government to press for international co-operation; today's Internet is still to open to exploitation by small groups, including criminals, and that's before fully-resourced militaries are added to the calculation.

"There is no current legislation to facilitate the prosecution of [international] cybercrime," pointed out Andrew Beckett, head of Cassidian Cyber Security Consulting Services.

"If an attacker sits in the Ukraine and attacks a server in Texas to gain control and mount another attack on a UK organisation then whose jurisdiction does the crime fall under? Who can prosecute it and under which law?," he said.

"There is currently no extradition treaty and no agreements in place for the exchange of evidence which means that criminals are able to operate with impunity."

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.